return to table of content

Zed Editor automatically downloads binaries and NPM packages without consent

theultdev
43 replies
6d11h

I don't really see the big deal here. Who wants to approve and configure all of their language servers?

If you open a file for that language, is there ever a time you would deny the download?

I just don't want a huge amount of popups like VSCode.

Also, the binaries are downloaded from their release on github. As long as that is secure I don't see a problem.

mxsjoberg
10 replies
6d10h

I don't really see the big deal here. Who wants to approve and configure all of their language servers?

everyone

If you open a file for that language, is there ever a time you would deny the download?

every time

default should be offline imo. want to download something? do it manually and place in folder etc

Dobbs
6 replies
6d10h

Just migrated from Vim to NeoVim. Downloading and configuring all the various LSPs has genuinely been one of the most frustrating aspects.

nrabulinski
2 replies
6d9h

Then you’d click the „yes and never ask me again” if a prompt about whether you want to download a random binary showed up. But a lot of people wouldn’t want to click that and would either click „no and never ask me again” or vet each case one by one

theultdev
1 replies
6d2h

How are you going to "vet" the language server when it pops up?

It's not a "random binary" either, it's a hosted binary for language features coming from the zed developers github release.

Even if the binary was compiled on demand when you clicked the button, were you going to go through the entire source of node to verify?

wtetzner
0 replies
3d20h

How are you going to "vet" the language server when it pops up?

You may not vet the source of the language server, but you might want to determine which ones you are willing to trust/take the risk, and which ones you aren't.

Woshiwuja
1 replies
6d9h

just use mason

Dobbs
0 replies
6d7h

mason can install them, but there isn't a way to "ensure-installed" built in. So that was a second package I needed. Then I needed a third package to configure things.

Maybe I'm missing something, but it was definitely more complicated than "just use mason".

setopt
0 replies
6d8h

With Vim + ALE this is dead easy: Install LSP servers via your OS package manager, and ALE will find them in $PATH and use them.

If you want to use NeoVim, then LSP-zero + Mason was also a decent experience last I tried.

octernion
0 replies
3d23h

a classic HN comment! "everyone is just like me"

absolutely incorrect, i loved that it does it for me and do not care even in the slightest and in fact this is 1000x preferable to vscode asking me.

what on earth made you think this was a reasonable reply.

morgante
0 replies
6d9h

everyone

Are you really so self-centered that you can't imagine anyone doesn't care?

I'll raise my hand and say I personally am happy to trust Zed and am fine with auto-installing whatever binaries they propose.

I do think it's reasonable to have an option for people with different security postures, but don't assume you speak for everyone.

KomoD
0 replies
6d4h

everyone

Not true, everyone is not you, I don't want to.

compootr
10 replies
6d11h

I don't really see the big deal here

Here's an idea: someone sends a dev at some company, or even a freelancer, some code. Code references a module with a malicious npm package (say, with a postinstall script). Dev opens it in zed

Now, my untrusted code is running on your machine, probably without your knowledge

broeng
6 replies
6d11h

Why the hell does npm support a postinstall script? There really shouldn't be a need to run arbitrary code provided by the package for something like this.

ErikBjare
4 replies
6d10h

It also supports preinstall and install scripts, for more obvious reasons.

broeng
3 replies
6d8h

I don't really think thats more obvious. It's expected to install dev libraries, not system services, it shouldn't have that need.

andyferris
1 replies
6d8h

NodeJS isn't very sandboxed. Many "dev libraries" are native and will either download and link to binary blobs, or build e.g. C code, which AFAICT is what all the various install scripts are for.

broeng
0 replies
6d5h

It seems like a bad design choice, that, besides allowing for running untrusted code directly at download time, also makes it difficult to properly mirror artifacts, and I'd assume, make platform portability inconsistent, at best.

deafpolygon
0 replies
6d8h

dependency checking isn't simple

nijave
0 replies
6d7h

The package itself is arbitrary code. You're running arbitrary code either way whether it's preinstall, install, post install, or when the package code gets ran.

It's common to need to setup tool chains for code that gets compiled (i.e. a node module that adds language bindings to a C library)

alfiedotwtf
1 replies
6d6h

How is that any different from the VS Code extensions that have one star and are just copies of other extensions… waiting to get high stars and then switch-a-roo? Same goes for browser extensions.

Unless you’re auditing everything while taking Trusting Trust into account, you’re drawing the line somewhere saying “ok I can’t be bothered past this point verifying”.

… everyone has a line somewhere on the trust-but-verify spectrum

wtetzner
0 replies
3d20h

… everyone has a line somewhere on the trust-but-verify spectrum

Sure, and by making the automatic downloads optional, users are given the choice of where they want to draw that line.

nijave
0 replies
6d7h

someone sends a dev at some company, or even a freelancer, some code

The code itself could be malicious and have backdoors. Really you shouldn't run anything untrusted outside a sandbox or some other form of isolation

g-b-r
7 replies
6d11h

GitHub release builds provide no whatsoever guarantee of having been built by GitHub from the corresponding source, if I remember correctly

theultdev
4 replies
6d11h

So the worry is the Zed team themselves will inject something into the binary?

broeng
3 replies
6d11h

The xz backdoor was an example of exploiting this disconnect. It was not present in the repository, it was inserted only into the release artifacts. Anyone getting xz by checking out the repository and building it themselves, would not be affected by it.

nijave
2 replies
6d7h

I think that's a slight mischaracterization. It was present in the repo but obfuscated and rigged to only apply in release artifacts.

A sufficiently technical user could have found it but that bar was pretty high to clear.

nijave
0 replies
5d7h

Right but it was injected from data in a "corrupt" xz file in the repo under certain conditions

This injects an obfuscated script to be executed at the end of configure. This script is fairly obfuscated and data from "test" .xz files in the repository.

The files containing the bulk of the exploit are in an obfuscated form in tests/files/bad-3-corrupt_lzma2.xz tests/files/good-large_compressed.lzma committed upstream
g-b-r
0 replies
4d2h

Maybe this whole cryptographic stuff has some use, but all that which was needed was for GitHub to declare when a file was uploaded manually and when by a workflow (specifying which workflow).

This looks so complex that it might well be just smoke and mirrors

eptcyka
5 replies
6d11h

Yes, whenever I’m reading untrusted code, I don’t want to be using a language server - most of them execute arbitrary code, and I do not want that.

theultdev
2 replies
6d11h

Open it in something else then.

If you use Zed you must have known the language server was running when you tried it, how did you think that was happening?

lucianbr
1 replies
6d11h

This kind of article or reddit post and discussion is how you know, at least for some people.

Anyway, you asked who would care. Now the topic has moved to "what to do about it", which is hardly an issue. Of course people who think Zed has a problem will not use it. That does not make it a non-problem.

theultdev
0 replies
6d11h

tbh this "article" looks a lot like a reddit outrage post.

oefrha
1 replies
6d11h

That’s a completely separate concern, it’s not like a new language server is downloaded for each file you open. I don’t know if Zed has a “safe mode” like some other editors, if it doesn’t you should ask for that instead. Unless of course you never open untrusted files in a language you’re familiar with, which would make you extremely peculiar.

eptcyka
0 replies
6d10h

No, but one would be downloaded the first time I'm opening some NPM backdoorfest.

chillfox
2 replies
6d9h

I usually don't use language servers at all. AI auto complete does the same for me faster... So yes, I would like to not download any of them.

brabel
1 replies
6d8h

IntelliJ now comes by default with a local-only AI auto-completer. I noticed that almost always, it "knows" the autocompletion better than the older intellisense.

However, sometimes (very often) you need to explore the API and just check every available method and check their docs to find which one is appropriate to use.

So, even though I can see AI replacing a lot of auto-completions, it just can't replace it completely.

chillfox
0 replies
5d18h

Guess it depends on upon what you do.

I mostly make crud endpoints, so I can remember most of what I need. And for the times when I can't I prefer to view the API docs in a browser.

daghamm
1 replies
6d11h

What if one language server adds a function to use your code for AI training? Are you okay with that as long as it came as a gitthub binary?

And these modern editors introduce another issue with their modularazied design. For each supported language Vscode installs tons of other crap beside the language server itself. And the language server alone has a quite long list of dependencies

https://github.com/golang/vscode-go/blob/master/extension/go...

superb_dev
0 replies
6d10h

I wouldn’t be okay with that, but I doubt I would be able to tell from the download button

teo_zero
0 replies
3d13h

Who wants to approve and configure all of their language servers?

I think you're asking the wrong question. The correct one would be: "who wants to be asked if they want to approve and configure all of their language servers?"

It's not what zed does, it's doing it behind your back!

seeknotfind
0 replies
6d6h

It's okay for a browser to download and use anything from any site, maybe, with mature cross origin policies and billions in security work, but the fact it's done without saying anything is just a bug that can be fixed. Fixing clarity is the real win.

What's really funny is it was found because it was crashing and the user was running another libc. If they're really concerned about 14MB of download, they should add a firewall or something, but they saw it crashing. Finally, all these versions of everything sitting around, nodeJS, glibc, etc, very UNIX, a recipe for small breakages. Though I guess that's just the problem we deal with.

daghamm
38 replies
6d11h

This is what I hate about vscode, and they at least ask for consent. Some of the stuff vscode needs for golang are (to me) developed by Random Joe on github. It's just a matter of time before it is abused for supply chain attacks.

pjmlp
20 replies
6d11h

Go suppport on VSCode was originally done by an intern at Microsoft, and then later there was an agreement with Google, for Google Go team to take over it.

ayewo
19 replies
6d10h

No wonder. Of all the languages I code in in VSCode, Golang is the most frustrating to use as I can’t jump to definitions with Cmd + Click the way I can in JS, PHP or Java.

It there a decent alternative for Golang on the Visual Studio Code marketplace?

oefrha
7 replies
6d10h

Golang... I can’t jump to definitions with Cmd + Click

That’s absolutely false. Did you refuse to install gopls or something?

alias_neo
5 replies
6d10h

I think they must have, it's not quite on the level of Goland, but VSCode with all the necessary extensions works well for Go, and doesn't eat 32GB of my RAM to do it.

oefrha
4 replies
6d10h

That would be quite funny. In a thread about additional components being installed without prompts, a user jumps out to complain about missing functionality in another editor because they refused to install an additional component when prompted.

alias_neo
2 replies
6d9h

Quite. VSCode asks with a little pop-up in the bottom right (for me, on Gnome) when you open a project that might benefit from a particular component, and you can accept or decline it.

It tells you what/why it's needed, it's up to you to accept or decline, but you should accept that things won't work well if you don't.

I'm no Microsoft fan (quite the opposite), but VSCode handles this about as well as anything could.

bippihippi1
1 replies
6d9h

except for giving network access to extensions having no way to audit if not open source.

rfoo
0 replies
6d6h

oh come on, if an extension comes with no source code it means it comes with a native binary (because otherwise it's JavaScript and there, are, no, good, JavaScript, obfuscation, in, this, world, period), and does it really matter if it has network access ??? it may as well just inject cryptominer to your ~/.bashrc.

avarun
0 replies
6d10h

Yeah I wonder why developers feel the need to auto install components…

brabel
0 replies
6d8h

Exactly. By the way, use F12 instead of clicking :).

Even on emacs, using gopls, `Meta+.` (go to definition) works.

I use some VS Code (when I need to do web stuff besides Go), some emacs, and both use gopls so support is pretty much equivalent in terms of functionality.

vergessenmir
5 replies
6d10h

Jetbrains has a decent golang IDE. I don't use it because I use Vim. Vim's not for everyone.

kmarc
2 replies
6d9h

I do the same (not for golang tho). However, vim plug-ins also "have network access", in fact they can just "system()" and call anything. No sandboxing at all. At least the source code of these plug-ins are not obfuscated/compressed.

However, this makes me wonder how much of a surface attack this is.

rfoo
1 replies
6d6h

Do you pin your plugins down to commit hash?

kmarc
0 replies
6d2h

I did in the past.

Now I just run `:PlugUpdate` and hope that whatever comes from GitHub, is seen by the manyeyeballs. I certainly don't check all the diffs.

veeti
0 replies
6d9h

Did you try IdeaVim?

mu53
0 replies
6d8h

Their ideavim plugin is pretty good. I didn't know at first, but it support an .ideavimrc file that allows you to set your own commands. Pretty much anything that you can do in a jetbrains product is connected to a command id that you can connect to a vim shortcut.

Include the most popular vim plugins as well. Easy motion and Nerdtree. Doesn't support language specific plugins, but core jetbrains products covers that

karolist
3 replies
6d10h

I can confirm it is frustrating experience overall, I've moved on to GoLand and later to IntelliJ with Go plugin for Go development and never looked back. Sadly IDEA products fall apart for me in projects where multiple technologies are used, i.e. tailwind, Ruby, anything with JS, so I can't ditch VSCode yet...

xvinci
1 replies
6d8h

Can you elaborate on that, at least for js? We are a large (1k) fullstack development company and do all of our js / typescript SPAs and others on Intellij and I am not aware of it being an unpleasant experience.

karolist
0 replies
6d8h

I do not have much experience with this as I've switched just a month ago, but for my codebases the editor tends to turn all project files red a few times a day and I have to use the "Restart IDE" and "Invalidate caches" quite often, this never happens with just Go codebase. It's a shame these actions have to even exist in IDE, it's like they know there's a bug in caching mechanism but can't find it, and no, I'm not using any fancy networked filesystems, just native macOS directories.

On another point I spent 2 hours setting up a Ruby interpretter because no matter what I did Intellij would not recognise my RVM ruby, I think compiling without yjit and setting up a specific gemset for the project plus a few Restart IDE and Invalidate caches later did it, but not sure.

For tailwind specifically the extension is lacking compared to VSCode, I do not have color squares for my color classes and the classes are not recognized in more difficult filetypes (i.e. erb templates). Many other extensions seem much less loved than on VSCode, i.e. continue.dev, you can read their reviews and quickly get a sense that it's much more niche ecosystem.

I love the editor experience overall and especially for Go projects, but can't switch fully yet.

nijave
0 replies
6d7h

If you're using IDEA with plugins for each technology you should be able to add submodules which get their own interpreter.

You may need to add interpreters first then there's a modules page in project settings you can select path and tool

shzhdbi09gv8ioi
0 replies
6d10h

Of all the languages I code in in VSCode, Golang is the most frustrating to use as I can’t jump to definitions with Cmd + Click the way I can in JS, PHP or Java.

Odd, what extensions are you using? I use only go.dev extension and intellisense has been working great for golang dev for years.

jazzyjackson
8 replies
6d10h

yea I was recently dismayed to find vscode extensions have full network access and there's no way to prevent it. It's been an open issue since 2018 and not on the roadmap.

https://github.com/microsoft/vscode/issues/52116

michaelt
4 replies
6d8h

Is that something people really expect of their IDEs these days?

In my mind, an IDE needs to be able to read all the files I can read myself, it needs to be able run arbitary tools like compilers and linkers then run the resulting compiled code, it needs a debugger that can attach to running processes and mess with them, it needs to be able to pull from the language's package repository when you ask it to, it needs to talk to your git server when needed, it needs access to your SSH keys to do that. About the only thing the IDE doesn't need is to run as root - and if you're working with Docker it basically needs that too.

The idea of an IDE with pluggable language support safely running plugins from untrusted sources? I can't imagine how such a thing could even be possible?

myaccountonhn
0 replies
6d6h

Well a permission model is one way, like OSes have. Another is something like elm with controlled effects, so you can just search the source code and see if something is off.

jazzyjackson
0 replies
5d18h

Having network access from within the IDE so I can use tools that reach out to package managers and remote git servers - yes, of course that is expected behavior.

If I want to install an extension that gives me syntax highlighting and code intelligence for an obscure template language, why should I expect that extension to have unfettered network access to exfiltrate my ptivate files?

Like the dead guy said, when working with private customer data it's just not on the table to take the risk, I am stuck running vanilla vs code.

anotherpov_ta
0 replies
6d5h

Just adding another point of view.

I'm a data scientist, intrinsic to my job is to work with private data that is usually vital to the company or 3rd party, the thought of running any plugins/software from untrusted sources is just insane in this environment.

Basically anything that isn't in the internal repository is a big no, so that rules out the pulling from the language package repository.

Access to the git server is handled at network level outside the workstation, I can only access a few services anyway, not regular internet access, the ssh keys are only valid for a period of time & current project, preconfigured in an image.

Some of us just have different needs.

II2II
0 replies
6d6h

A different (Visual Studio Code) example that uses network access and runs executables from untrusted sources: embedded development. You have everything from tools like PlatformIO, that manages the toolchain for microcontrollers from multiple vendors; to ESP-IDF, that manages the toolchain for microcontrollers based upon multiple architectures; to Raspberry Pi Pico, which uses the IDE as a simplified installer for their toolchain.

With some compilers leaning on user side, rather than system side, toolchain management (e.g. Rust), I would imagine that plugins managing that would be desirable as well.

Keep in mind, computers are about automation. We should be able to reap the benefits of that automation to the greatest degree possible. Alas, we can't due to bad actors.

api
1 replies
6d7h

The idea of everything on a system having open net access is going to have to go, not just for this reason but also privacy. It’s kind of amazing it’s still the default everywhere.

Also supply chain attacks are a freight train barreling down the tracks. The gate is down and the crossing bells are dinging but our car is stuck on the tracks.

Ever since the xz thing almost worked every black hat group on the entire planet is trying their hand at this. The days of software dev as a high trust environment are going to be over fast.

Conimene
0 replies
5d10h

The days of software dev as a high trust environment are going to be over fast.

That's good

Quite tired of being the only one in my org with outbound firewall rules

rbut
0 replies
6d5h

At our org we run code-server in docker with no network access except pre-allowed DNS, and a white listed squid proxy, due to this.

It works really well for us and prevents potentially bad extensions, python libraries, etc exfilling our code, data, etc.

andrepd
3 replies
6d7h

I just want a dumb text editor that doesn't bundle shitton of crap I don't want (like LLMs), doesn't phone home, isn't bloated and slow. I feel that still the only good editor that does this apart from vim+emacs is sublime text.

moe_sc
0 replies
6d4h

Kate comes to mind.

moe_sc
0 replies
6d4h

Kate comes to mind.

jasmes
0 replies
6d6h

I've been using Sublime more and more lately when I'm not in a JetBrains IDE. I can't feel a difference between it's speed and Zed's on my machines. If I could get Supermaven in it I'd SWITCH completely.

arp242
2 replies
6d10h

Some of the stuff vscode needs for golang are (to me) developed by Random Joe on github.

Pretty much all of it seems to be on golang.org, github.com/google, or are by people working on gopls. The suggestions that there are tons of dependencies from random people is just not true.

tjpnz
0 replies
6d9h

Pretty much all of it isn't remotely the same as all of it.

elAhmo
0 replies
6d10h

Comment states some of the tools, not tons of dependencies. Your comment that "pretty much all" is not a contradiction of what the parent comment said.

juliangmp
0 replies
6d11h

Not sure if it was always like that, the C/C++ extension used to download the language server and some tools during startup as well. They now bundle it with the extension, which is a lot better especially in an offline environment.

coolgoose
20 replies
6d12h

I don't get why having a modal for each tool asking for consent is too hard.

whazor
6 replies
6d11h

Because people want a fast out of the box editing experience. Not clicking yes for every language server.

But what they should have is a CDN with their own extensions and verified binaries. This way they can ship new versions of extensions without bumping their editor version.

mhd
3 replies
6d11h

Not clicking yes for every language server.

How many language servers are we talking about here for the average dev? Three?

theultdev
2 replies
6d11h

Yes, but you would have it for each time you opened a new workspace.

The only point of this would be if you didn't want to download the language server for untrusted code.

I think what people really want is workspace location permissions...

Ygg2
1 replies
6d10h

Wait, what. Why should you keep downloading Node per workspace? If you have one installed already?

theultdev
0 replies
6d2h

Not downloading, but enabling. The downloading of Node isn't really the issue that people are trying to make it.

The real problem is "running" the language server on untrusted code. That's where there should be a confirm dialog.

But it's a separate issue about workspace permissions.

That's the only vulnerability here and it exists on at least one some level in all editors in language servers. (VSCode's workspace permissions aren't that secure)

tjpnz
0 replies
6d9h

Because people want a fast out of the box editing experience. Not clicking yes for every language server.

That strikes me as more of a UX problem. Doing a bunch of sketchy things behind the user's back is absolutely not a solution though.

herrkanin
0 replies
6d10h

The versions should generally match what's specified in the user's package.json. It doesn't make much sense then to have a separate registry.

diego_sandoval
6 replies
6d11h

Because it would turn into the popup fest that is vscode.

chillfox
4 replies
6d9h

I can't remember the last time I saw a popup in vscode, maybe last year.

DangitBobby
3 replies
6d6h

Do you use it?

chillfox
2 replies
5d18h

Every day. Guess I just configured it differently to how most people do it.

DangitBobby
1 replies
5d16h

I see a pop up for an update or extension that isn't working anymore pretty much every time I open it.

chillfox
0 replies
5d11h

Well, that sucks. You should probably use a different editor that works better for you.

loa_in_
0 replies
6d11h

All it takes is a "yes to all this session" button, which is way better than just doing it quietly.

cedws
5 replies
6d10h

I don’t want that. Popups are one of the reasons I stopped using VSCode. They drive me nuts. Just let me write code.

usr1106
2 replies
6d9h

Just let others silently run code on my computer? Sorry, but not for me.

jeroenhd
1 replies
6d9h

Isn't that the point of downloading an editor in the first place? Not having to write your own editor code?

usr1106
0 replies
6d9h

The point was silently.

switch007
0 replies
6d6h

The popups in VScode seem explicitly intended to annoy.

Why is showing the release log the default for so many things? Is the average user really going to read them?

It makes you wonder what they are doing with all that telemetry

brabel
0 replies
6d8h

It annoys me a lot as well, though it took me a couple of minutes to turn off the popups.

Once you've done that, it's similar to emacs for me, everything has to be evoked via a shortcut (or Action Palette which works very well in VS Code). The shortcut to show "help" or "docs" is Cmd+K Cmd+I, by the way - easy to type and remember...

alberth
9 replies
6d6h

While I share similar concerns, I also want to point out that:

  - Zed is (currently) free
  - still pre 1.0 release
  - being developed quickly by a small group of developers
For those of us who enjoy Zed, we should give appreciation for what they have created.

As someone who's maintains OSS myself, the onslaught of people who can swarm in fast to piss on your hard/long efforts can demoralize you.

So let's be kind in our words (and tone) to these folks.

bcardarella
8 replies
6d5h

I just don't buy this argument. None of what you've listed gives the right to install binaries without permission. A simple opt-in notification could resolve this but they decided against this for ease of use. Free or not, pre 1.0 or not, small team or not this puts users at risk for a pretty bad attack vector.

alberth
7 replies
6d5h

If DockYard.com had a security incident for a free/beta service, I'm sure you'd want users to show some compassion.

(It doesn't make it right, all I'm saying is - showing compassion goes a long way with developers while they re-evaluate)

bcardarella
2 replies
6d3h

Actually, I'll do one better. For a rather large framework we are developing an engineer at DY introduced a somewhat similar problem. A binary was being installed, from a trusted source in this case but a binary was being compiled/installed none the less. It never made its way to an actual release and I personally took the time to change this approach so that we weren't installing binaries on people's machines without their permission. We now pre-compile and vendor. This approach likely isn't what Zed can do as in this case we can target just Intel/Apple Silicon machines but the point here is I recognized the problem and rather than just hand-wave dismiss it as a #wontfix I took responsibility for it and fixed it myself. It cost money, it cost time. I still fixed it because that's the right thing to do.

https://github.com/liveview-native/liveview-client-swiftui/p...

Compassion for those putting others in harms way is such a stupid take.

threatofrain
1 replies
6d1h

For security, what’s the difference between prepackaging a binary vs downloading later?

bcardarella
0 replies
6d1h

Vendoring the binary guarantees that I control what is running. It isn't installed, just run locally from the lib. I'll quote the OP issue on GH:

Now I found that it downloads (here) even some proprietary binary from https://supermaven.com, i.e. unaudited and unauditable code, without any verification (except TLS)!

This opens Zed up to Man In The Middle attacks and Supply Chain attacks. And now that Zed has indicated that they won't fix the door is wide open to these vulnerabilities.

yamumsahoe
1 replies
6d4h

oh god, no. users exist to give you money and feedback, not emotional support.

when your software enters other people's personal devices, their concern is their safety, security, and privacy, not your feelings.

AA-BA-94-2A-56
0 replies
3d23h

I actually completely agree with you, although at the very least users can be expected to not be rude. Although, I don't think anyone in this thread (so far) has been rude.

bcardarella
0 replies
6d3h

We don't cut corners like this so no, that wouldn't happen

bcardarella
0 replies
6d3h

I'll add that security incidents through mistakes happen. Conscious decisions to punt on user security in the name of faster release cycles isn't something I am willing to have compassion on.

as-cii
5 replies
6d9h

Hey, Antonio here. Co-founder at Zed.

Sorry that we haven't replied to that GitHub issue yet. We try our best to listen to the community (here, on GitHub, on Discord, ...), but we're a small team and, admittedly, it's tricky to keep up with everything.

I agree that we should ask users for consent before downloading language servers (and other executables).

For everybody who's come across the ticket here or on Reddit and hasn't worked with the Zed codebase yet, let me provide some context on how language support is implemented.

In Zed, we have three ways of supporting a language (and its language servers):

1. Extensions that users can install from the `zed-extensions` repository [0]

2. Pre-bundled extensions that ship with the Zed binary, but still need to be installed [1]

3. Built-in language support [2].

For (2) and (3), the code is owned by the Zed team and we make a conscious effort to review contributions from the community in that area.

That code can automatically download language servers, but we try to vet which exact scripts/binaries are downloaded from where. For example: we heavily use rust-analyzer ourselves and keep up to date with its releases, the Go language server `gopls` is downloaded from the Go team using the official `go` tooling, the ESLint language server comes from Microsoft, etc.

For the longest time, we only had built-in language support (3). A couple of months ago, we shipped extensions for Zed (point 1 and 2 above, parts of it described in [3]). The goal was for built-in language support (3) to gradually move to pre-bundled extensions (2) so that users had the ability to choose which ones to install. We did make some progress, but we haven't ported all languages yet.

We're a small team and can only do so many things at once. So after investing quite a bit of time into extensions, we chose to pause that work and invest into other areas for a while (porting Zed to Linux, for example). Once those areas are in a better state, we plan to come back to extensions, build them out some more, and port the remaining languages.

So, TL;DR: we hear you loud and clear. We try to vet things that are currently installed automatically. But we agree that we should ask users whether they want to install arbitrary binaries on their computer. We also plan to transition all language support to manually-installed extensions once we finish other projects.

[0]: https://github.com/zed-industries/extensions

[1]: https://github.com/zed-industries/zed/tree/main/extensions

[2]: https://github.com/zed-industries/zed/tree/main/crates/langu...

[3]: https://zed.dev/blog/language-extensions-part-1

sakisv
0 replies
6d8h

Hi Antonio, thanks for Zed, love it.

If I may offer a small piece of feedback based on your comment here:

Apart from its speed, the single thing I loved about Zed and made it stand out from the likes of vscode, was the built-in language support.

This made for a great first time experience where I didn't have to search and download anything and everything was working out of the box.

In fact it was so good an experience, that when I had to download another thing for terraform support, it struck me as much more annoying than usually

Reading that your plan is to move in the exact opposite direction is disappointing and, I'm sorry to say, I hope it doesn't come to pass.

nijave
0 replies
6d7h

I think some middle ground might be including an extension lock file that gets committed to the repo. For internal projects, users will get auto configured by trusting the other internal users that setup the repo.

For external projects, users need to trust the project they're pulling down anyway since it's arbitrary code.

That would also help mitigate the risk of supply chain attacks (since versions are pinned and ideally verify package integrity)

jarule
0 replies
4d13h

I've seen this guy on the Zed YouTube channel, and yeah, dude loves to talk for hours without saying anything useful.

ishaanbahal
0 replies
6d8h

Thanks for this response. Zed is awesome, haven't been able to switch to it full-time due to [1] https://github.com/zed-industries/zed/issues/5065, but do appreciate what's being built.

It's a new product, which is clearly seeing quick changes every week, so hopeful you'll get to this one soon. The internet will always be extreme around any issue, and make it seem like the end of the world, to those folks, maybe try zed again later? It's still a good editor to keep in mind.

Although one minor thing about this, getting users accustomed to this flow and then later asking for consent might also raise issues, like this one, just with a more "Zed now prompting for every little thing" in future. So might want to keep that in mind.

Loving zed for go development (especially with a decent suite of Vim bindings), just haven't been able to use things like Flutter , due to lack of debug support, which VSCode does quite well (albeit crashes a bunch).

cowl
0 replies
6d8h

this answer makes things even worse. "we are a small team so its ok for us to expose your pc to risks".

If you dont have the bandwidth to do things securely dont do them at all.you are asking the devs to wait until you have time to return to it to plug the holes you have opened because you needed a bulletpoint for your release.

and this is not just a lack of time, its your attitude in regard to the devs, see also the optout telemetry for another example of total lack of respect for privacy.

notorandit
3 replies
6d7h

Being it binary or not, it doesn't make any difference.

It's the "modern times" craze about plugins pulled from different unauditable, unknown sources. The fact that it is on GitHub or any other "publicly available" source it is irrelevant.

I keep using vim and Kate and manually install anything I need form my distro (Arch Linux) repos. If it is not there, then, sorry I cannot use it.

alfiedotwtf
2 replies
6d7h

This is a fallacy though, unless you’re also code reviewing all of the Archb libraries you pull down

zamadatix
1 replies
6d6h

I think the main add of distro repositories is the repo maintainers sit as a review step between you and the project updates on e.g. GitHub, not that it enables you to better audit the code yourself. I'm not sure it's really all that effective in practical terms though.

alfiedotwtf
0 replies
5d15h

Distros raise the probability that something will get caught, but it’s only that - increasing your chances not getting pwned… it’s still not bulletproof

AlexDragusin
3 replies
6d11h

We created the hackable text editor, Atom, and the pioneering software platform that launched an entirely new generation of desktop apps, Electron.
lpcvoid
2 replies
6d10h

I'd rather wish they hadn't to be honest

AlexDragusin
1 replies
6d6h

That's the point I was trying to make :)

airhangerf15
0 replies
6d4h

I agree. Electron is cancer. They're proud of creating Javascript Cancer.

haddr
2 replies
6d6h

Zed is supposed to be a lightweigh and fast text editor. That was my hope when trying it. This is not the case. When I was editing some JS or HTML file I noticed that my laptop is quite warm. I checked all processes and there was some node process taking up 100% of one of CPUs. It was some language server running in the background in some non-efficient way. The problem with Zed is that its mission is to be "engineered for performance", while in the background they cut corners and run some heavy unoptimized stuff. I think this is not a right strategy, even cosindering it is still in beta.

DrBazza
1 replies
6d6h

The language server isn't part of Zed though is it? You should report the issues on their github page.

haddr
0 replies
6d6h

it is not, but as the title says: it all happens in the background, without you being aware what happens.

The good thing is that this can be turned off with this option: "enable_language_server": false

xpe
1 replies
6d7h

Zed is my favorite editor, but I'm not going to minimize concerns that people raise simply because I think the editor is stupefyingly awesome overall.

Questions: What control does a user have right now over what gets installed automatically? What are the levers we can pull to get more control? (These levers include configuration options, pushing back on the project, and so on.)

P.S. Not that this is an excuse, but VS Code's security posture (sandboxing, prompting users, etc.) probably didn't happen overnight without user pressure. Who knows the history?

xpe
0 replies
6d4h

Some highlights from the Github issues thread [1]:

Ideally you would be able to turn off auto-download but still be able to use a [language server] if it’s already on the users system.

There is not a binary choice between "friendly to end users" and "secure". You can have your cake and eat it too. The main thing that should be considered is less of a user facing popup or preference (where opt-in vs. opt-out is an issue, as is noise & friction), but developer facing options. If Zed offered compile time configuration this could be fixed to everybody's satisfaction. Distros could ship a pre-configured package with all the dependencies already provided so that the user experience is just "install and run" while also not having an app that downloads (or attempts to download) binaries behind teh users back. Meanwhile if Zed wants to ship a binary package upstream that defaults to downloading things they can.

[1]: https://github.com/zed-industries/zed/issues/12589

throwaway202407
1 replies
6d6h

This was also documented here, nearly 1-year ago:

https://github.com/zed-industries/zed/discussions/6659

Where there is a VSCode theme importer for Zed.

And what it does is silently install a Home Brew package and attempt to execute it on your machine.

biosboiii
1 replies
6d11h

Not asking the user for consent for software updates is quite common.

My corpo rejects a lot software, because they do exactly that.

zarzavat
0 replies
6d10h

Yes for first party updates. This is different. This is for third party extensions.

rs_rs_rs_rs_rs
0 replies
6d9h

At this point I really believe we need a consent popup after every letter typed, got forbid you typed a wrong letter.

perryizgr8
0 replies
6d7h

There is a balance between asking too many confirmations and not asking at all. VS code had this feature called "Workspace Trust" or something like that. It was so incredibly annoying. Always asking me for my own repos or repos which are in my org, if I trust the authors. I ended up disabling it completely and it will remain that way. I hope Zed finds a way to strike the balance in a better way than bombarding the user with confirmations, otherwise I'll be completely disabling that too, probably to the detriment of the security of my computer.

mapcars
0 replies
6d7h

Zed is version 0.1-something, you can't expect them realistically have their own maintained packages at this stage. And these things do happen when you use software at the early stages, just wait for 1.0 and see what happens then.

legobeet
0 replies
6d6h

The security side of free editors and IDEs is not great anywhere today for JS development. Once you start wanting more features and integrations, you start facing an apparent choose-any-2 of security, convenience, and productivity.

I don't think it has to be this way. I think we can have both better compartmentalization and tighter workflow integration without having it becoming a part-time job.

Here is my ongoing attempt at addressing the issue, currently scoped for neovim[0]:

https://github.com/legobeat/l7-devenv

(I did share this to crickets as a Show HN the other day, hope it's on-topic enough to OK to reshare here)

[0]: The same framework should, at least in theory, be extensible to do something similar with Code/VSCodium. While working on this I realized there is some overlap with their Dev Containers and am yet to look into if and how one would run those in a similar fashion and if they could be leveraged to the same end

jarule
0 replies
6d7h

This is why you never want to sell to developers.

james1120000
0 replies
3d5h

I lost my investment capital and profits trading online, they kept on requesting for extra funds before a withdrawal request can be accepted and processed, in the end, I lost all my money. All efforts to reach out to their customer support desk had declined, I found it very hard to move on. God so kind I followed a broadcast that teaches on how scammed victims can recover their fund through the help of Gavin ray a recovery specialist, I contacted his email provided for consultation, I got feedback after some hours and I was asked to provide all legal details concerning my investment, I did exactly what they instructed me to do without delay, to my greatest surprise I was able to recover my money back including my profit which my capital generated. I said I will not hold this to myself but share it to the public so that all scammed victims can get their funds back. Contact his email:gavinray78@gmail.com or whatsapp +1 352 322 2096

idk1
0 replies
5d11h

This might be a very very silly question so bear with me, why would it need to download these binaries? I'm on sublime text atm, and I can't think of a reason why it would download anything other than the app itself or an update to the app when I'm asked. I know that might sound very stupid and I'm sorry.

WuxiFingerHold
0 replies
6d2h

They could ask during install whether silent installation of LSPs should be done or whether Zed should ask explicitly for every LSP.

With Zed, I have another issue. I don't understand which niche it is trying to fill. The advertising story doesn't convince me. The performance bottlenecks are typically the LSPs after all, not if text is rendered in 10 or 20 ms. Startup time is secondary. Yes, memory usage is a concern. I get that and that's where Zed is miles ahead of VS Code and Jetbrains IDEs. But overall I think:

- If you want easy and free, go VS Code.

- If you want ultimate IDE features and mouse and GUI, go Jetbrains.

- If you want ultimate productivity, follow this beautiful guide: https://lazyvim-ambitious-devs.phillips.codes/

DanielVZ
0 replies
6d9h

This broke Zed for me and had to go back to Neovim at my workspace. The corporate AV software was going crazy with all these automated downloads and installations. It wasn’t blocking them but just vetting them was taking so long, I just didn’t find it worth using